Blockchain security has always been a focus for developers. Blockchain security firm Veridise recently reported that audits of zero-knowledge (ZK) projects may uncover critical issues. The finding highlights a crucial aspect of the technology's evolving landscape and its associated risks.
Veridise analysed 1,605 vulnerability findings from its last 100 audits. It found that the average number of issues per audit is around 16. ZK audits averaged 18, and 55% of them contained at least one critical issue. For the other audits the figure was just 27.5%. The issues spanned smart contracts, wallet integrations, blockchain implementations and relayers.
Zero-knowledge protocols are gaining popularity for their potential to enhance privacy and scalability. The protocols allow one party to prove to another that a statement is true, revealing no information beyond the validity of the statement. The approach is innovative and brings several benefits, but it also introduces complex cryptographic challenges.
Veridise CEO and co-founder Jon Stephens said developing a ZK circuit requires precise reasoning about the semantics of the operations in the witness generator. If the semantics are not correctly encoded into constraints, bugs are inevitable. The complexity makes ZK security challenging and prone to critical vulnerabilities.
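The gap between what a witness generator computes and what the constraints actually enforce can be shown with a toy "is zero" gadget. This is an added example, not code from Veridise or any audited project; the small prime `P` and all function names are assumptions chosen for illustration.

```python
# Toy model (constructed for illustration): an "is zero" gadget over a prime field.
# P is a small Mersenne prime chosen for readability (assumption); production
# circuits use a field of roughly 254 bits.
P = 2**31 - 1

def witness_is_zero(x):
    """Honest witness generator: returns (inv, out) with out == 1 iff x == 0."""
    x %= P
    inv = pow(x, P - 2, P) if x else 0   # modular inverse via Fermat's little theorem
    out = (1 - x * inv) % P
    return inv, out

def check_underconstrained(x, inv, out):
    """Encodes only out = 1 - x*inv. Nothing forces inv to be the inverse
    of x, so the prover is free to pick inv = 0 and obtain out = 1."""
    return out % P == (1 - x * inv) % P

def check_sound(x, inv, out):
    """Adds the constraint x*out = 0, which forces out = 0 whenever x != 0."""
    return check_underconstrained(x, inv, out) and (x * out) % P == 0

def compare(x, inv, out):
    """Return (accepted by weak constraints, accepted by sound constraints)."""
    return check_underconstrained(x, inv, out), check_sound(x, inv, out)

if __name__ == "__main__":
    # Honest witnesses satisfy both constraint systems.
    print("honest x=5:", compare(5, *witness_is_zero(5)))
    print("honest x=0:", compare(0, *witness_is_zero(0)))
    # A witness claiming "5 is zero" (inv=0, out=1) never comes from the
    # generator, yet the weak constraints accept it; the sound ones reject it.
    print("forged x=5:", compare(5, 0, 1))
```

The witness generator is correct in both cases; only the constraint set differs, which is why testing the generator's outputs alone does not reveal this class of bug.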
Veridise's audits further revealed that the most common vulnerabilities in decentralized finance (DeFi) projects are logic errors, maintainability issues and data validation problems. Together they account for 65% of all issues. The issues are more prevalent in ZK audits. Maintainability issues such as poor coding practices are probably not security vulnerabilities in themselves, but they can easily escalate into critical bugs.
More than 200 severe issues were discovered. Logic errors and data validation were the most common issues. Underconstrained circuit issues, Denial of Service (DoS) vulnerabilities and access control problems were also detected, but in smaller numbers.